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AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 

1 . (Currently Amended) A computer-implemented method for assessing risk within an 
organization, comprising: 

defining one or more zones, each of said one or more zones comprising an environment; 

identifying one or more assets of said organization, each of said assets being located in a 
respective one of said zones; 

conducting a respective impact assessment for each of said assets, each assessment 
comprising assessing the impact of the loss of said respective asset; 

conducting for each of said zones a respective zone risk assessment, comprising assessing 
the risk level associated with placing a respective asset within said respective corresponding 
zone; 

conducting for each asset a respective asset risk assessment, comprising assessing the risk 
level associated with said respective asset independent of the respective zone of said respective 
asset; and 

assessing risk on the basis of at least said impact assessment, said zone risk assessments 
and said asset risk assessments by a processor . 



2. (Original) A method as claimed in claim 1, including identifying one or more asset 
custodians, each comprising a custodian of a respective asset, and identifying one or more asset 
owners, each comprising an owner of a respective one or more of said assets. 

3. (Original) A method as claimed in claim 2, wherein each of said custodians is an 
employee with care-taking responsibilities. 

4. (Original) A method as claimed in claim 1, including maintaining a register of said 

assets. 

5. (Original) A method as claimed in claim 4, wherein said register includes a respective 
owner of each of said assets. 
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6. (Original) A method as claimed in claim 1, including maintaining a register of said 

zones. 

7. (Original) A method as claimed in claim 6, wherein said register includes a respective 
custodian of each of said zones. 

8. (Original) A method as claimed in claim 1, wherein each of said assets is information 

related. 

9. (Original) A method as claimed in claim 2, wherein each of said assets is information 
related, and each of said asset custodians is an information custodian, each comprising a 
custodian of a respective information storage device within said organization. 

10. (Original) A method as claimed in claim 9, including defining at least four types of 
custodians: 1) physical and environment custodians, 2) network custodians, 3) software 
engineering custodians, and 4) MIS support custodians. 

1 1 . (Original) A method as claimed in claim 2, wherein each of said respective zone 
assessments is conducted by the respective custodian of said respective zone. 

12. (Original) A method as claimed in claim 2, wherein each of said respective asset 
assessments is conducted by the respective owner of said respective asset. 

13. (Original) A method as claimed in claim 1, including regarding the loss of an asset as 
equivalent to the loss of a system of which said asset is a part. 

14. (Original) A method as claimed in claim 1, including determining a measured risk 
for each asset, said measured risk for a respective asset comprising the product of 1) an impact 
level determined in said impact assessment and 2) the maximum of an asset risk determined in 
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said asset risk assessment and an asset risk determined in said zone risk assessment. 

15. (Original) A method as claimed in claim 2, wherein none of said custodians is an 

owner. 

16. (Original) An apparatus for assessing risk within an organization, comprising: 
data input means for inputting asset information into a register of assets, each of said 

assets being an asset of said organization, each of said assets being located in a respective zone; 

data storage for storing said register of assets, including for each of said assets said 
respective zone; 

means for receiving or storing a respective zone risk assessment for each of said zones, 
said respective zone risk assessment comprising an assessment of the risk level associated with 
placing a respective asset within said respective corresponding zone; 

means for receiving or storing a respective asset risk assessment for each asset, said 
respective asset risk assessment comprising an assessment of the risk level associated with said 
respective asset independent of the respective zone of said respective asset; 

means for receiving or storing a respective impact assessment for each of said assets, 
each assessment comprising assessing the impact of the loss of said respective asset, and for 
assessing risk on the basis of at least said impact assessment, said zone risk assessments and said 
asset risk assessments to thereby form a risk assessment; and 

output means for outputting said risk assessment. 

17. (Original) An apparatus as claimed in claim 16, wherein said apparatus is operable to 
associate with each of said assets an asset custodian, each comprising a custodian of a respective 
asset, and to associate with each of said assets at least one asset owner, each comprising an 
owner of a respective one or more of said assets. 

18. (Original) An apparatus as claimed in claim 16, wherein said register of assets 
includes a respective owner of each of said assets. 
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19. (Original) An apparatus as claimed in claim 16, wherein said apparatus includes data 
storage for storing a register of said zones. 

20. (Original) An apparatus as claimed in claim 19, wherein said zone register includes 
data for associating a respective custodian with each of said zones. 

21. (Original) An apparatus as claimed in claim 16, wherein each of said assets is 
information related. 

22. (Original) An apparatus as claimed in claim 16, wherein said apparatus is operable to 
treat the loss of an asset as equivalent to the loss of a system of which said asset is a part. 

23. (Original) An apparatus as claimed in claim 16, wherein said apparatus is operable to 
determine a measured risk for each asset, said measured risk for a respective asset comprising the 
product of 1) an impact level determined in said impact assessment and 2) the maximum of an 
asset risk determined in said asset risk assessment and an asset risk determined in said zone risk 
assessment. 

24. (Previously Presented) A computer-implemented risk management method, 
comprising: 

assessing risk according to the method of claim 1; and 
managing said risk. 

25. (Original) A method as claimed in claim 24, wherein said managing of said risk 
comprises: 

determining the distribution of the number of assets as a function of associated measured 

risk; 

determining a maximum acceptable risk level; and 

applying one or more controls if any of said assets exceeds said maximum acceptable risk 

level. 
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26. (Original) A method as claimed in claim 24, wherein said acceptable risk level 
comprises the lower of the highest available measured risk or 100%. 

27. (New) A method as claimed in claim 1, wherein said zones comprise at least one of 
each of a physical and environment zone, a network zone, a software engineering zone, and an 
MIS support zone. 

28. (New) An apparatus as claimed in claim 16, wherein said zones comprise at least 
one of each of a physical and environment zone, a network zone, a software engineering zone, 
and an MIS support zone. 



